A guide to data protection and personal information

Written by HR Team | 30 Sep 2024
In an increasingly data-driven world, it has never been more important to ensure that the personal information of individuals is protected. Schools and Trusts are required to process a vast amount of personal data, some of which is sensitive, so it is vital that appropriate systems and processes are set up. If data falls into the wrong hands, there is a risk of harm to individuals, not just identity theft and discrimination but also physical harm.

Data protection legislation is in place to ensure that individuals’ data is used properly and fairly. The UK General Data Protection Regulation (UK GDPR) is the primary data protection law in the UK, and non-compliance can result in large fines as well as reputational damage.

Key principles

The UK GDPR sets out 7 key principles that should guide you in processing personal data. Those principles are: 

  • lawfulness, fairness and transparency 
  • purpose limitation 
  • data minimisation 
  • accuracy 
  • storage limitation 
  • integrity and confidentiality (security) 
  • accountability 

Data types 

Personal data includes information such as pupil and employee names, addresses, information about pupil behaviour and attendance, employees’ bank details, information related to job applicants and staff contracts.

Some data, known as “special category data”, is considered more sensitive and given greater protection in law. This includes medical information, racial or ethnic origin, biometric information (e.g. fingerprints), safeguarding matters, information about pupils with SEND and criminal offence data (e.g. outcomes of Disclosure and Barring Service checks on staff).

Data Protection Officers (DPOs)  

All maintained schools and academies must have a designated data protection officer, although one individual can cover more than one school. Due to the significant level of responsibility, schools should make sure the data protection officer has the appropriate time, resources and support to carry out the role effectively. 

Policies and procedures  

Schools are legally required to have data protection policies and procedures in place and to ensure that these are regularly reviewed and updated. EPM have a range of model policies to help with this. 

Responsibilities 

All employees have a responsibility for data protection, so it is important to make sure that these responsibilities are understood across the staff team. Some employees may be required to share sensitive information with other schools, local authorities and other agencies, so they need to be clear on what it is appropriate to share and how.

Subject Access Requests (SARs) 

Individuals, including children, have several information rights relating to the personal data that organisations hold about them. These include access, rectification of inaccurate information and the right to erasure. Subject Access Requests (SARs) can be submitted verbally as well as in writing. The data controller (i.e. the school or Trust) is required to respond within one month, although this can be extended for a further 2 months if the request is complex.

Data security 

Schools and Trusts can implement processes to ensure security of personal data by: 

  • Ensuring the use of strong passwords. 
  • Shredding all physical copies of confidential documents and limiting unnecessary copies. 
  • Encrypting all electronically stored personal information.
  • Installing firewalls and virus protection software on school computers.
  • Limiting access to personal information wherever necessary.
  • Training employees regularly so that they understand their responsibilities.

Further guidance

Detailed guidance for schools can be found at Data protection in schools - Guidance - GOV.UK (www.gov.uk), and further information on data protection can be found at the Information Commissioner's Office (ICO).

If you’re looking for support in understanding your data protection responsibilities, or interested in learning more about our HR support, please talk to us.